HiveBrain v1.2.0
Get Started
← Back to all entries
patternMinor

Tracing failed login attempts in Oracle

Submitted by: @import:stackexchange-dba··
0
Viewed 0 times
loginfailedattemptsoracletracing

Problem

I have some users who are logging in with a wrong password and their accounts get locked.

Now I need to find the source of the failed login attempt. The machine, username etc.

Is it possible to find this?

I did try

select ntimestamp#, userid, userhost, spare1, comment$text from sys.aud$ where returncode=1017 order by 1;


and also,

select OS_USERNAME,USERNAME,USERHOST,to_char(timestamp,'MM-DD-YYYY HH24:MI:SS'), returncode
from dba_audit_trail 
where returncode > 0


Both the above queries show up results but I'm not sure if the results are the ones which actually gets locked.

Server - RHEL
DB - Oracle 12c

Solution

You are on the right way.
Column RETURNCODE in DBA_AUDIT_TRAIL or RETURN_CODE in UNIFIED_AUDIT_TRAIL view.

http://docs.oracle.com/database/121/REFRN/GUID-A9993FAC-12D3-4725-A37D-938CC32D74CC.htm#REFRN23023


This view is populated only in an Oracle Database where unified
auditing is not enabled. When unified auditing is enabled in Oracle
Database, the audit records are populated in the new audit trail and
can be viewed from UNIFIED_AUDIT_TRAIL.

Oracle documentation is always a very good source of information.

Context

StackExchange Database Administrators Q#124039, answer score: 3

Revisions (0)

No revisions yet.